The US Needs One Cyber Defense Agency—Not Three, a Top NSA Official Says

In this picture taken on March 5, 2015, a map of the United States displayed on a computer screen shows cyber attacks in real time at the headquarters of Bitdefender, a leading Romanian cyber security company, in Bucharest, Romania.

With the job divided between NSA, FBI, and DHS, 'we need to rethink how we do cyber defense as a nation.'

The U.S. government ought to consider forging stronger ties between agencies that manage cybersecurity, including possibly unifying their cyber defense components in a single agency, the National Security Agency’s top cyber defender said today.

Combining aspects of NSA, the FBI and the Homeland Security Department into one cyber defense organization would give cyber defenders a clearer picture of what they’re up against when government computer networks are breached, and it would speed up response times, Curtis Dukes, NSA’s deputy national manager for national security systems, told an audience at the American Enterprise Institute.

“I’m now firmly convinced that we need to rethink how we do cyber defense as a nation,” he said.

Currently, NSA defends the government’s national security systems against cyberattacks. DHS is in charge of defending non-national security systems and the FBI investigates the criminal aspects of cyberattacks.

DHS typically requests NSA’s help when the government is responding to a major attack such as the 2015 breach of sensitive records about 21.5 million people from the Office of Personnel Management. But it can take days or even a week before government officials complete the paperwork to get NSA on site, Dukes said.

That means NSA investigators lose time and precious insights, he said.

Investigations are further delayed while the three major cyber departments figure out who should take the lead and what their priorities are, he said.

“Who’s going to be in charge? Is it always going to be a criminal matter? Or, when it’s non-national security is it DHS and when it’s national security is it NSA?” he said, laying out the difficulty.

“By the time we get that all sorted out, we’re at a disadvantage when it comes to an adversary,” he said.

As a possible model for combining agencies’ cyber capabilities, Dukes suggested Britain’s National Cyber Security Centre where cyber defenders with the British spy agency GCHQ provide defense for the entire government.

Any realignment of cyber responsibilities that significant in the U.S. would require action by Congress. The Obama administration has made smaller moves to unify cyber operations, such as launching the Cyber Threat Intelligence Integration Center in 2015, which shares cyber threat information, such as known software vulnerabilities, throughout government.

Dukes also bemoaned the poor state of government cyber defenses during his speech at AEI and during a question and answer session that followed. He noted that all major U.S. government breaches during the past year relied on software vulnerabilities that were already known and could have been patched.

“In the last 24 months, OPM, [the Executive Office of the President] and the State Department weren’t particularly well protected, so the adversary didn’t have to use a zero day,” he said, referring to software vulnerabilities that aren’t known by the manufacturer or by cyber defenders. “They could use a known exploit that they knew had not had a patch installed.”

Dukes’ goal, he said, is to “raise the cost to the adversary. They’ll, then, have to start actually using zero days against us.”

Dukes declined to say whether a collection of zero days and other hacking tools recently disclosed by a group called Shadow Brokers is the same collection allegedly stolen by former NSA contractor Harold T. Martin III who was arrested in August.

He noted that Cisco and other companies have patched vulnerabilities exposed by that leak.

Joseph Marks covers cybersecurity for Nextgov. He previously covered cybersecurity for Politico, intellectual property for Bloomberg BNA and federal litigation for Law360. He covered government technology for Nextgov during an earlier stint at the publication and began his career at Midwestern ...